[rsbac] RSBAC+GRSecurity

Bencsath Boldizsar boldi at datacontact.hu
Sun Aug 7 11:32:34 CEST 2005


Hello Golem,
Yes, it's not the best option to patch a kernel with both security
patches, as it can raise problems. Practically, I used to make such
multi-patched kernels. The method is already described in this thread:
first I patch a vanilla kernel with one system (e.g. rsbac) then with the
other (e.g. grsec) then manually fix all rejected patches, finally at
compile time I fix (sometimes, e.g. socket.c) the remaining problems.
Of course, I cannot be confident about the second patch. Yes, it can
happen that some parts go to the wrong place in the kernel, but unless
you really use e.g. MAC in both packages this won't hurt too much. (Or, I
can say, no such "big" error has occurred up to now.)
My rsbac+grsec+openswan+tproxy patched kernels are downloadable at
http://www.boldi.hu/programs/rsbac/
(latest is 2.4.29, now I just try to make a 2.4.32, but I have some
problems...)
boldizsar

--------------------------------
Bencsath Boldizsar
--------------------------------

On Sun, 7 Aug 2005, ????? ?????????? wrote:

> Hi.
> I understand you.
> But I think it's bad to apply a patch on already patched code, because we don't know how they would be merged.
> And so I ask you to explain to me - which diff files include MAC and other modules, I want to just delete them from the GRSec patch, and apply it.
> Golem.
>
> -----Original Message-----
> From: Rumen Yotov <rumen_yotov at dir.bg>
> To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
> Date: Sat, 06 Aug 2005 21:28:44 +0300
> Subject: Re: [rsbac] RSBAC+GRSecurity
>
> >
> > ????? ?????????? wrote:
> >
> > >Hi all.
> > >I want to use RSBAC with the GRSecurity patch.
> > >I use RSBAC sources from the Gentoo distrib, and try to patch them with the GRSecurity patch.
> > >But at the end (every time, when patch asks to apply the patch anyway, I say 'no'), I have in the kernel config 2 PaX sections (Security section), one before,
> > >and one after the GRSecurity section.
> > >Can someone explain how to patch correctly?
> > >Bye, Golem.
> > >_______________________________________________
> > >rsbac mailing list
> > >rsbac at rsbac.org
> > >http://www.rsbac.org/mailman/listinfo/rsbac
> > >
> > >
> > Hi,
> > Not much help here but anyway, IMHO latest RSBAC has PaX included, which
> > is also true for GRSecurity. But that's not the biggest problem.
> > Maybe a bigger one is the fact that both RSBAC&grsec2 have some sort of
> > MandatoryAccessControl (MAC) which is common for both (e.g. ACL,sec.
> > capabilities etc.). Technically just unpack some vanilla kernel and
> > manually apply the patches, then look out for any rejects (patch order
> > is also important). See also "man patch".
> > Using Gentoo too, here just compile the kernel step by step:
> > 1.ebuild /usr/portage/sys-kernel/rsbac-sources-2.6.11-r3/rX unpack (this
> > will only unpack and patch the sources);
> > 2.Then go to: /var/tmp/portage/linux-2.6.11-rsbac-r3/work directory and
> > apply the patch (GRSEC2) manually, it too has the PaX patch integrated;
> > 3.ebuild /usr/portage/sys-kernel/rsbac-sources-2.6.11-r3 install (will
> > make 'compile&install' steps) does nothing here as this is just kernel
> > source, but the steps must be made in order to be able to make the next one;
> > 4.ebuild /usr/portage/sys-kernel/rsbac-sources-2.6.11-r3 qmerge (merge
> > step - copy to usr/src/linux dir);
> > 5.ebuild /usr/portage/sys-kernel/rsbac-sources-2.6.11-r3 clean (to clean
> > the work dir, it's more than 250MB ;)
> > Or edit the ebuild and include the grsec patch too (epatch function);
> > HTH. Rumen
> >
>
> Bye, g01Em.
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
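
The reject hunting described in both replies can be narrowed before running `patch`: both patches are diffs against the same vanilla tree, so hunks whose original line ranges overlap in the same file are the likeliest to reject when the second patch goes on. An added sketch, not code from any poster or from the RSBAC or grsecurity projects; the two inline patch fragments, their paths and their line numbers are constructed for illustration.

```python
import re
from collections import defaultdict

HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+\d+(?:,\d+)? @@")

def old_ranges(patch_text):
    """Map each patched file to the (start, end) ranges its hunks cover in the vanilla tree."""
    ranges, current, prev = defaultdict(list), None, ""
    for line in patch_text.splitlines():
        if line.startswith("+++ ") and prev.startswith("--- "):
            # Drop any timestamp and the first path component, as `patch -p1` does.
            path = line[4:].split("\t")[0].strip()
            current = path.split("/", 1)[1] if "/" in path else path
        elif current and (m := HUNK.match(line)):
            start, length = int(m.group(1)), int(m.group(2) or 1)
            # A zero-length old side (file creation) is kept as a one-line range.
            ranges[current].append((start, start + max(length, 1) - 1))
        prev = line
    return ranges

def conflicts(first, second):
    """For every file both patches touch, list hunk pairs covering the same vanilla lines.

    An empty list means the file is shared but the hunks are apart, so the
    second patch should apply there with a line offset instead of a reject.
    """
    a, b = old_ranges(first), old_ranges(second)
    return {path: [(x, y) for x in a[path] for y in b[path]
                   if x[0] <= y[1] and y[0] <= x[1]]
            for path in sorted(a.keys() & b.keys())}

# Constructed fragments: headers only, hunk bodies omitted since only headers are parsed.
PATCH_A = """--- linux/net/socket.c
+++ linux-a/net/socket.c
@@ -100,6 +100,7 @@
@@ -400,6 +401,8 @@
--- linux/fs/namei.c
+++ linux-a/fs/namei.c
@@ -50,6 +50,7 @@
"""
PATCH_B = """--- linux/net/socket.c
+++ linux-b/net/socket.c
@@ -103,6 +103,8 @@
--- linux/fs/namei.c
+++ linux-b/fs/namei.c
@@ -900,6 +900,7 @@
--- linux/mm/mmap.c
+++ linux-b/mm/mmap.c
@@ -10,6 +10,7 @@
"""

if __name__ == "__main__":
    for path, pairs in conflicts(PATCH_A, PATCH_B).items():
        print(path, pairs or "shared file, no overlapping hunks")
```

Hunk ranges include context lines, so an overlap marks a candidate for manual review, not a guaranteed reject.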

